New Delhi: Mergers and acquisitions in cyber security totalled $10 billion (Rs 51,400 crore) globally in the first half of the year, according to consultancy firm PricewaterhouseCoopers. That’s an increase of 70% against the total value of deals struck in all of last year. In an interview, J. Paul Nicholas, director, global security strategy and diplomacy/trustworthy computing at Microsoft Corp., who is in India this week, says the sheer number of people expected to be online in the next few years is driving the importance of cyber security both among countries and corporations. Edited excerpts:

There is an increased buzz around cyber security these days. What’s creating it?

Online safety: Nicholas says it is a little early to have an international treaty on cyber security. Photo: Priyanka Parashar/Mint

The US is working on another law on cyber security that talks about some kind of information sharing between the private and the public sectors. What does it seek to achieve?

There are three things to keep in mind about this legislation. Firstly, it’s being built on top of lots of voluntary activity which has been happening in the private sector for over 10 years. The second thing is it’s meant to reform risk management, it tries to anticipate how we will respond to emergencies. It creates a framework for enabling partnerships to be more sustainable.

There are several laws already in place in the US that address cyber security. Why have another one?

This one adds a couple of important things. It requires companies to have a security plan and a security response strategy. Many companies already have that. We at Microsoft have had that for a long time and I am sure most of the big telecom and banking companies have that. But the blood of the American economy is its small and medium businesses, and many of them don’t have such a strategy. So the legislation tries to identify what is critical national infrastructure and then nearly try to tailor that to make sure that companies that play a key role have the right plan in place.

The second part is to make sure that they can come together to share information and the government will help eliminate roadblocks. It’s not a checklist of dos and don’ts. Sometimes people look at cyber security as, “if I do these 30 things, I will be secure”, but it’s far more complex than that. By doing this, they are trying to identify the function which is most important for the nation and the economy. And then to define the risk management practices to go and address those.

The third is when something bad happens, something will happen at some point, be it technology or a national disaster, etc., do we have the processes that can respond to it in the government?

With this US legislation as a backdrop, do you think the Indian government is doing enough to tackle cyber crime?

I think the Indian government is doing really interesting work with the passage of the IT (Information Technology) Act in 2000 and the subsequent revisions. It has strengthened CERT (Computer Emergency Response Team) and other government capabilities here. India faces many unique challenges. There are about 83 million people online in the country and it is projected that it will breach 237 million by the year 2015. That is an extensive growth online and it increases the demand for things like governance, telecom services and smartphones, etc. I think the Indian government has identified many of the key things that require attention, and it’s important that they address these in a way that is helpful to both India and is also a recognition that India is the key to many countries’ supply chains. Whatever policy India creates is going to have a global impact. It is up to the policymakers to realize the balance between national and international, all at one time.

There are talks about how future wars will be fought online and how there is a need for an international convention to deal with cyber crime. What’s your take on this?

There has been a lengthy global dialogue about what’s needed for cyber security. Should there be an international agreement or should there be a set of norms in terms of accepted behaviour between countries? In my view, it is a little bit early to have an international treaty. I think it takes a really long time to create that.

On the other hand, there are things today where we have normative behaviour in cyber security. I will highlight two of those. One is on Internet response. So when a problem emerges, how do companies, etc., respond to that? The second one is in terms of building those tools. Microsoft has been a leader in that. We have been working with researchers to understand where there is a problem and building solutions for those problems and releasing them in a way that they can be adopted by the ecosystem with the least amount of disruption. I think those two things could become more international.

Do you think emerging economies such as India have a lot to catch up on as more advanced countries such as the US already have best practices and legislations in place?

Even if there is what appears to be a significant gap between those countries in terms of maturity of legislation, they all face the same problems. Cyber crime is exploding, people are facing targeted attacks, etc. In my view, it creates a level ground for countries and companies to talk about what the challenges are.

But countries such as India will have to leapfrog to a level where they can share a common set of global standards.

Yes, that’s true. But in some ways, they can learn from other countries’ mistakes. So they are able to get through that gap faster. Like in the early days in the US, where programmes were being implemented and people would say, “Oh, there have been so many delays, but we have learnt so many lessons.” But now it’s easier to say that here is a model somebody else can look at. I think the greatest gap is about people coming together on what the challenges are and putting together the right model to deal with it.